What version of Keycloak is this?
On 3 January 2017 at 15:10, John Dennis <jdennis(a)redhat.com> wrote:
On 12/27/2016 08:52 AM, Rashmi Singh wrote:
> Hi All, Just a reminder if some insights/help could be provided on my
> SAML request and the issue I am facing.
What Rashmi failed to mention is that after submitting the SAML
AuthnRequest to Keycloak the response was a server 500 error. I asked
him to look for any backtraces that appeared in the Keycloak log after
receiving the AuthnRequest which he did and included here.
To the best of my knowledge the AuthnRequest is well formed but even if
it wasn't the response should have been a SAML Response with an error,
not an HTTP 500 status code.
What we need to figure out is why Keycloak is throwing an uncaught
exception resulting in the HTTP 500 status code.
ECP requires either basic or digest authentication on the endpoint
processing the AuthnRequest. My suspicion based on the "Failed
authentication" message at the beginning of the backtrace is either the
authentication did not occur on the endpoint or there was a failure to
record the authentication occurred and was successful, just a guess.
>
> On Fri, Dec 23, 2016 at 9:01 PM, Rashmi Singh <singhrasster(a)gmail.com>
> wrote:
>
>> Hi All,
>>
>> I am using ecp.sh (provided by keycloak team, of course with changes on
>> idp_endpoint based on my keycloak environment) to perform authentication.
Just to clarify, ecp.sh was not provided by the keycloak team. I
provided it to Rashmi. It's a script I've used in the past to test ECP.
>> I am using spring saml SP and keycloak IDP. I enabled ecp on the SP side
>> and then I execute ecp.sh script as:
>>
>> ./ecp.sh -d rhsso http://192.168.99.100:8888/saml-sp/first.jsp newuser4
>>
>>
>> My idp_endpoint is: "http://192.168.99.100:9990/auth/realms/xxxxxxxxxx/protocol/saml"
>> where xxxxxxxxxx is my realm (replaced my realm with xxxxxxxxxx for this
>> email)
>>
>> The script prompts me to enter password and then it sends an auth request
>> to keycloak IDP.
>>
>> Now, something goes wrong at the IDP.
>> I enabled saml logs on keycloak to see the incoming request and the
>> following error from the logs:
>>
>> 00:51:40,656 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-2) SAML POST Binding
>> 00:51:40,656 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-2)
>> <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>>     AssertionConsumerServiceURL="http://192.168.99.100:8888/saml-sp/saml/SSO"
>>     ForceAuthn="false" ID="a31ah57718g27gd149da6jeb08620ig" IsPassive="false"
>>     IssueInstant="2016-12-24T00:51:34.799Z"
>>     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Version="2.0">
>>   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://192.168.99.100:8888/saml-sp/saml/metadata</saml2:Issuer>
>>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>     <ds:SignedInfo>
>>       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>       <ds:Reference URI="#a31ah57718g27gd149da6jeb08620ig">
>>         <ds:Transforms>
>>           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>         </ds:Transforms>
>>         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>         <ds:DigestValue>nfLQ9IFs9IFnSgw3HHHKuPkAbRY=</ds:DigestValue>
>>       </ds:Reference>
>>     </ds:SignedInfo>
>>     <ds:SignatureValue>iULSwpjBb38Vmtan4ZIocRx4PNr6fHRuhVbL+
>> 7yXNz3wqjlSavtk7haUiADwUS2cTofRM5KDzUvIkaQPXBZqEkz2xnrhpNj71
>> eIqJ6H4ZqW3mpvP8Bk9z3VEmcEQhZSd6j8rMf4JOdIBRtE7cea0wJhuQ1Uds
>> HdcKeIdp+wuRvn8t9vS/mPKd9GAt11JpC+bgMQS0MDy+r1+AZof2+
>> XMyMuwECVIkouTzwlgKDEmgvQh6Aq61f+QzIeeZ9+3efwJyIH61x7J4CaiSTpesezlXx8UQ
>> nqIL+AToL1OFHSp2bgXXxkP1rHSkyNM34Eg92LmI5cN3oBfQDR8r+mCoEctWA==</ds:SignatureValue>
>>     <ds:KeyInfo>
>>       <ds:X509Data>
>>         <ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBg
>> kqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UECBMHVXVzaW1hYT
>> ERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeT
>> EMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcNMTMwMTAxMTEyOD
>> AxWhcNMjIxMjMwMTEyODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECBMHVX
>> VzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2
>> FyZSBPeTEMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wggEiMA0GCS
>> qGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXqP0wqL2Ai1haeTj0alwsLafhrD
>> tUt00E5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/
>> yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/
>> rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7KqxpHx6No83WNZj4B
>> 3gvWLRWv05nbXh/F9YMeQClTX1iBNAhLQxWhwXMKB4u1iPQ/
>> KSaal3R26pONUUmu1qVtU1quQozSTPD8HvsDqGG19v2+/N3uf5dRYtvEPfwXN3wIY+/
>> R93vBA6lnl5nTctZIRsyg0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQ
>> wAAYUjso1VwjDc2kypK/RRcB8bMAUUIG0hLGL82IvnKouGixGq
>> AcULwQKIvTs6uGmlgbSG6Gn5ROb2mlBztXqQ49zRvi5qWNRttir6eyqwRFGO
>> M6A8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/2PLnaL2h9WyG9QwBbwtmkMEqUt/
>> dgixKb1Rvby/tBuRogWgPONNSACiW+Z5o8UdAOqNMZQozD/
>> i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEWbHwSoBy5hLPNALaE
>> Uoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/
>> GuHE=</ds:X509Certificate>
>>       </ds:X509Data>
>>     </ds:KeyInfo>
>>   </ds:Signature>
>> </saml2p:AuthnRequest>
>>
>> 00:51:41,265 DEBUG [org.keycloak.saml.common] (default task-2) The provider ApacheXMLDSig - 2.05 was added at position: 2
>> 00:51:41,545 WARN [org.keycloak.services] (default task-2) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException
>>         at org.keycloak.authentication.DefaultAuthenticationFlow.processResult(DefaultAuthenticationFlow.java:242)
>>         at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:185)
>>         at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:792)
>>         at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:100)
>>         at org.keycloak.protocol.saml.SamlService.newBrowserAuthentication(SamlService.java:505)
>>         at org.keycloak.protocol.saml.profile.ecp.SamlEcpProfileService.newBrowserAuthentication(SamlEcpProfileService.java:89)
>>         at org.keycloak.protocol.saml.SamlService.newBrowserAuthentication(SamlService.java:501)
>>         at org.keycloak.protocol.saml.SamlService$BindingProtocol.loginRequest(SamlService.java:297)
>>         at org.keycloak.protocol.saml.profile.ecp.SamlEcpProfileService$1.loginRequest(SamlEcpProfileService.java:72)
>>         at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:209)
>>         at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.execute(SamlService.java:453)
>>         at org.keycloak.protocol.saml.profile.ecp.SamlEcpProfileService.authenticate(SamlEcpProfileService.java:74)
>>         at org.keycloak.protocol.saml.SamlService.soapBinding(SamlService.java:619)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>         at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>>         at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>>         at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>>         at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>         at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>         at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>         at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>         at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>         at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>         at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>         at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>         at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>         at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>         at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>         at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>         at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>         at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>         at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>         at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>         at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>         at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>         at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>         at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>         at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>         at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>         at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>         at java.lang.Thread.run(Thread.java:745)
>>
>> 00:51:41,548 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=O4ZR9N2V6U, clientId=http://192.168.99.100:8888/saml-sp/saml/metadata, userId=null, ipAddress=192.168.99.1, error=invalid_user_credentials, auth_method=saml, redirect_uri=http://192.168.99.100:8888/saml-sp/saml/SSO, code_id=fa04e6ff-3767-419c-a5bf-7bc2c94e8300
>>
>>
>> I am a bit lost here on what is wrong. Does this request I pasted above
>> look correct? If not, let me know what is wrong/missing there. Also, my
>> understanding is that I don't need to enable anything on keycloak for this.
>> I was earlier able to do browser-based authentication using this same saml
>> SP, IDP and the user. Then, I enabled ECP on SP to test authentication
>> using ecp.sh script but I encountered the above error and output. I would
>> appreciate any help or pointers on this.
>>
>> Also, for reference, this is the SP response (I printed the $sp_resp
>> variable in ecp.sh):
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
>>   <soap11:Header>
>>     <paos:Request xmlns:paos="urn:liberty:paos:2003-08"
>>         responseConsumerURL="http://192.168.99.100:8888/saml-sp/saml/SSO"
>>         service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
>>         soap11:actor="http://schemas.xmlsoap.org/soap/actor/next"
>>         soap11:mustUnderstand="1"/>
>>     <ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
>>         IsPassive="false" soap11:actor="http://schemas.xmlsoap.org/soap/actor/next"
>>         soap11:mustUnderstand="1">
>>       <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://192.168.99.100:8888/saml-sp/saml/metadata</saml2:Issuer>
>>     </ecp:Request>
>>   </soap11:Header>
>>   <soap11:Body>
>>     <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>>         AssertionConsumerServiceURL="http://192.168.99.100:8888/saml-sp/saml/SSO"
>>         ForceAuthn="false" ID="a1bj9ed5f38c4c1f1331hifbg36363" IsPassive="false"
>>         IssueInstant="2016-12-24T01:14:48.538Z"
>>         ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Version="2.0">
>>       <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://192.168.99.100:8888/saml-sp/saml/metadata</saml2:Issuer>
>>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>         <ds:SignedInfo>
>>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>           <ds:Reference URI="#a1bj9ed5f38c4c1f1331hifbg36363">
>>             <ds:Transforms>
>>               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>             </ds:Transforms>
>>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>             <ds:DigestValue>sOgymsP3qFQ4QQFiGP7oUjtutUw=</ds:DigestValue>
>>           </ds:Reference>
>>         </ds:SignedInfo>
>>         <ds:SignatureValue>ZGxJgqOcGe2XarIF1JtfjikRmpsIjglB4mKeYdfUbwUavtH25XgZ/
>> YmgTDFlCYbq2piAM0NvibcyPtXjgX26zATtWJg3URqHpqWclccql8I5arrVf
>> kHTKUQxIx0Rk9bxxytsS012SptubO9F4a+b4LAWoaE9L4IymGVtLpZRLYRL2rhhj
>> wIehT/hSXTWWNRWrLWYb03klaCp/1hZIEUIUW1nyeveyWfaeN1LF7BJ63y
>> MdWOrtUEaF388chUcg1dpFB7HeYq1Q5GCYyEsFk3yi1CEcZ/
>> qeXyfbHAwixFOG0pPNyeunn6QDZzFD8sSVepXzuFLb8MuuthNYSb0hVLrwQ==</ds:SignatureValue>
>>         <ds:KeyInfo>
>>           <ds:X509Data>
>>             <ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UE
>> CBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEM
>> MAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcNMTMwMTAxMTEyODAxWhcNMjIxMjMwMTEy
>> ODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kx
>> GDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8w
>> ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXqP0wqL2Ai1haeTj0alwsLafhrDtUt00E
>> 5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13
>> F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7K
>> qxpHx6No83WNZj4B3gvWLRWv05nbXh/F9YMeQClTX1iBNAhLQxWhwXMKB4u1iPQ/KSaal3R26pON
>> UUmu1qVtU1quQozSTPD8HvsDqGG19v2+/N3uf5dRYtvEPfwXN3wIY+/R93vBA6lnl5nTctZIRsyg
>> 0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQwAAYUjso1VwjDc2kypK/RRcB8bMAUUIG0hLGL
>> 82IvnKouGixGqAcULwQKIvTs6uGmlgbSG6Gn5ROb2mlBztXqQ49zRvi5qWNRttir6eyqwRFGOM6A
>> 8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/2PLnaL2h9WyG9QwBbwtmkMEqUt/dgixKb1Rvby/tBu
>> RogWgPONNSACiW+Z5o8UdAOqNMZQozD/i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
>> bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/GuHE=</ds:X509Certificate>
>>           </ds:X509Data>
>>         </ds:KeyInfo>
>>       </ds:Signature>
>>     </saml2p:AuthnRequest>
>>   </soap11:Body>
>> </soap11:Envelope>
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
John
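Added example, not John's ecp.sh and not Keycloak or Spring SAML code: a minimal ECP client in Python that walks the exchange the thread is about. It GETs the SP resource with PAOS headers, cuts the signed AuthnRequest out of the SP's SOAP envelope without re-serialising it (the signature uses exclusive C14N, so a changed prefix or attribute layout would fail verification at the IdP), POSTs it to the IdP's SOAP endpoint with HTTP Basic authentication, and sorts the IdP's answer into the cases John distinguishes: a bare HTTP error such as the 500 in the thread, a SOAP fault, or a proper SAML Response whose StatusCode the client can read. It also performs the ECP profile's check that the ecp:Response header's AssertionConsumerServiceURL matches the SP's responseConsumerURL before anything is forwarded. SP_ENVELOPE is the thread's SP response with the ds:Signature trimmed away, IDP_ENVELOPE is a constructed failed-login answer, and sp_url, idp_url, the credentials and all helper names are assumptions.

```python
"""Minimal SAML ECP client (added example; not ecp.sh, Keycloak or Spring SAML code).

Flow: GET the SP resource with PAOS headers -> the SP returns a SOAP envelope holding
a signed AuthnRequest -> POST that AuthnRequest to the IdP's SOAP endpoint under
HTTP Basic auth -> check the IdP's answer -> forward it to the SP's ACS.
SP_ENVELOPE is the thread's SP response with the ds:Signature trimmed away;
IDP_ENVELOPE is a constructed failed-login answer.  URLs and names are assumptions.
"""
import base64
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
SOAP_ENV = "{%s}Envelope" % NS["soap"]
# Tells the SP the client speaks PAOS/ECP, so it answers with SOAP instead of a redirect.
PAOS_HEADERS = {
    "Accept": "text/html; application/vnd.paos+xml",
    "PAOS": 'ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"',
}
# The AuthnRequest element, whatever namespace prefix the SP chose.
AUTHN_RE = re.compile(rb"<(\w+:)?AuthnRequest\b.*?</(\w+:)?AuthnRequest>", re.S)

# Constructed sample: the SP's PAOS response from the thread, signature omitted.
SP_ENVELOPE = b"""<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
<soap11:Header><paos:Request xmlns:paos="urn:liberty:paos:2003-08" responseConsumerURL="http://192.168.99.100:8888/saml-sp/saml/SSO" service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" soap11:actor="http://schemas.xmlsoap.org/soap/actor/next" soap11:mustUnderstand="1"/></soap11:Header>
<soap11:Body><saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://192.168.99.100:8888/saml-sp/saml/SSO" ForceAuthn="false" ID="a1bj9ed5f38c4c1f1331hifbg36363" IsPassive="false" IssueInstant="2016-12-24T01:14:48.538Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://192.168.99.100:8888/saml-sp/saml/metadata</saml2:Issuer>
</saml2p:AuthnRequest></soap11:Body>
</soap11:Envelope>"""

# Constructed sample: what an IdP should send for bad credentials, a SAML Response
# carrying an error status inside the SOAP envelope, not a bare HTTP 500.
IDP_ENVELOPE = b"""<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
<soap11:Header><ecp:Response xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" AssertionConsumerServiceURL="http://192.168.99.100:8888/saml-sp/saml/SSO" soap11:actor="http://schemas.xmlsoap.org/soap/actor/next" soap11:mustUnderstand="1"/></soap11:Header>
<soap11:Body><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0" IssueInstant="2016-12-24T01:14:49Z" InResponseTo="a1bj9ed5f38c4c1f1331hifbg36363">
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/></samlp:Status>
</samlp:Response></soap11:Body>
</soap11:Envelope>"""


def parse_sp_envelope(xml_bytes):
    """Return (responseConsumerURL, raw AuthnRequest bytes) from the SP's PAOS response.
    The AuthnRequest is cut from the raw bytes, not re-serialised: it is signed under
    exclusive C14N, so a changed prefix or attribute layout would break the signature."""
    root = ET.fromstring(xml_bytes)
    paos_req = root.find("soap:Header/paos:Request", NS)
    match = AUTHN_RE.search(xml_bytes)
    if root.tag != SOAP_ENV or paos_req is None or match is None:
        raise ValueError("not a PAOS/ECP envelope")
    return paos_req.get("responseConsumerURL"), match.group(0)


def build_idp_envelope(authn_bytes):
    """Only the AuthnRequest goes to the IdP; the paos/ecp headers were addressed to the client."""
    return (b'<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">'
            b"<soap11:Body>" + authn_bytes + b"</soap11:Body></soap11:Envelope>")


def classify_idp_response(status, body, response_consumer_url):
    """'http-<code>' when there is no SOAP envelope at all (the thread's 500), 'soap-fault',
    'acs-mismatch' when the ecp:Response ACS differs from the SP's responseConsumerURL
    (the ECP profile says the client must not forward then), else the SAML StatusCode."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        root = None
    if root is None or root.tag != SOAP_ENV:
        return "http-%d" % status
    if root.find("soap:Body/soap:Fault", NS) is not None:
        return "soap-fault"
    ecp_resp = root.find("soap:Header/ecp:Response", NS)
    if ecp_resp is None or ecp_resp.get("AssertionConsumerServiceURL") != response_consumer_url:
        return "acs-mismatch"
    code = root.find("soap:Body/samlp:Response/samlp:Status/samlp:StatusCode", NS)
    return code.get("Value") if code is not None else "no-saml-response"


def http(url, method, body, headers):
    """Send one request; return (status, body) for 4xx/5xx too instead of raising."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def ecp_login(sp_url, idp_url, username, password):
    """Live exchange against real endpoints; returns the SP's final (status, body)."""
    _, sp_body = http(sp_url, "GET", None, PAOS_HEADERS)
    acs_url, authn = parse_sp_envelope(sp_body)
    cred = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    status, idp_body = http(idp_url, "POST", build_idp_envelope(authn),
                            {"Content-Type": "text/xml", "Authorization": "Basic " + cred})
    outcome = classify_idp_response(status, idp_body, acs_url)
    if outcome.startswith("http-") or outcome in ("soap-fault", "acs-mismatch"):
        raise RuntimeError("IdP gave no usable SAML Response: " + outcome)
    # Whatever StatusCode the IdP set, the SP's ACS is the party that acts on it.
    return http(acs_url, "POST", idp_body, {"Content-Type": "application/vnd.paos+xml"})
```

ecp_login(sp_url, idp_url, user, password) runs the live flow; offline, the two embedded envelopes let parse_sp_envelope and classify_idp_response be exercised on their own. The client deliberately does not verify the XML signature on the IdP's response: that is the SP's job once the envelope reaches its ACS, and the client has no IdP key to check it against.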